I compromised an ecommerce server and they have a local instance of MySQL on it. I can leverage access to the SQL server, which is supposed to be back end (stupid designer). There is data everywhere but there seems to be a masking on the credit card numbers. How can I find out how the data is masked so I can use the credit card numbers? Any ideas? They appear like this!

Well, it's really dependent on what your definition of permission is. The ecommerce server belongs to a friend's uncle's brother's company, who mentioned his desire to have someone look at the security of the system. We discussed a price of $18,000 and I started yesterday.

I am sorry, I should have said the ethical hacking community as a whole has established rules for pentesting. There are legal complications when you do a pentest and you need to protect yourself and your client.

So your friend's uncle's company mentioned it, and you discussed a price of $18,000, but did he actually sign a contract with you? And that contract says that you can not only, as you put it, look at the security of the system, but also get full credit card numbers?

If the uncle or the owner of the company did that, they would be in big legal trouble and lose their business. So I doubt that is the case. And if you are a professional pen tester, you should have told him that you would under no circumstances do that. Hell, if for no other reason than you would never get paid if his company folded.

If you simply want to remove the asterisks from a MySQL table, maybe you should ask the same exact question using the same exact words in a MySQL Support Forum.